CCTV systems are a familiar management tool in businesses, particularly in offices, factories, warehouses, and customer-facing areas. However, from a personal data protection perspective, installing cameras should not be treated merely as an operational or security decision.

What matters is that businesses clearly define the purpose of surveillance, the scope of monitored areas, the retention period of recorded footage, and who has access to such data. If the objective is to ensure security, prevent incidents, or protect assets, the system configuration should align with those purposes—rather than being expanded by default without clear limits.

Risks often arise when CCTV coverage exceeds actual operational needs, footage is retained longer than necessary, or access to data lacks proper controls. In such cases, a tool intended for management can become a compliance and risk management vulnerability.

A practical tip for internal review: Before installing a new system or reviewing an existing one, businesses should conduct a workplace CCTV review with the involvement of business, HR, legal, and IT/security teams.

Mini-checklist:

• Clearly define the purpose of CCTV use in each area;

• Assess whether the recording scope exceeds actual management needs;

• Review data retention periods for recorded footage;

• Restrict the number of individuals authorized to access and extract data;

• Assign a responsible point of contact for system management and periodic review.

Businesses do not need to avoid using CCTV. What is essential is to demonstrate that its use is based on a clear purpose, within an appropriate scope, and accompanied by proportionate control measures.

Legal reference: Law on Personal Data Protection No. 91/2025/QH15 and its implementing regulations, particularly provisions on data processing principles, transparency, purpose limitation, and data security.

CTA: A suggested checklist for reviewing workplace CCTV systems is available at the following link:

https://drive.google.com/file/d/1Gem8OUm5o1gbGcj3YCh7A9AaKaKjRaLT/view?usp=sharing

💌 Next post: Privacy notice, internal policy and consent – where do businesses commonly get it wrong?

-------------------------------

Article: Prepared by LLVN.

Image: LLVN

-------------------------------

𝐂𝐨𝐧𝐭𝐚𝐜𝐭 𝐮𝐬

Website: www.lawlink.com

Instagram: lawlink.vietnam

Facebook: Lawlink Vietnam

Phone: +84 908107788

Address: Unite 22.02, Aqua 1, Vinhomes Golden River, No. 2 Ton Duc Thang, HCM